Index: auth2.c |
|
--- auth2.c.orig 2021-03-02 11:31:47.000000000 +0100 |
|
+++ auth2.c 2021-03-03 08:25:17.978876000 +0100 |
|
@@ -58,6 +58,9 @@ |
|
#endif |
|
#include "monitor_wrap.h" |
|
#include "digest.h" |
|
+#ifdef USE_ALIAS |
|
+#include "match.h" |
|
+#endif |
|
|
|
/* import */ |
|
extern ServerOptions options; |
|
@@ -264,6 +267,10 @@ |
|
char *user = NULL, *service = NULL, *method = NULL, *style = NULL; |
|
int r, authenticated = 0; |
|
double tstart = monotime_double(); |
|
+#ifdef USE_ALIAS |
|
+ int i, n; |
|
+ char *cp; |
|
+#endif |
|
|
|
if (authctxt == NULL) |
|
fatal("input_userauth_request: no authctxt"); |
|
@@ -278,6 +285,25 @@ |
|
if ((style = strchr(user, ':')) != NULL) |
|
*style++ = 0; |
|
|
|
+#ifdef USE_ALIAS |
|
+ for (i = 0; i < options.num_alias; i++) { |
|
+ if (match_pattern_list(user, options.alias[i].alias, strlen(options.alias[i].alias), 0) == 1) { |
|
+ if (style != NULL) { |
|
+ n = strlen(options.alias[i].user) + 1 + strlen(style) + 1; |
|
+ cp = xmalloc(n); |
|
+ snprintf(cp, n, "%s:%s", options.alias[i].user, style); |
|
+ style = strchr(cp, ':'); |
|
+ *style++ = '\0'; |
|
+ } |
|
+ else |
|
+ cp = xstrdup(options.alias[i].user); |
|
+ free(user); |
|
+ user = cp; |
|
+ break; |
|
+ } |
|
+ } |
|
+#endif |
|
+ |
|
if (authctxt->attempt++ == 0) { |
|
/* setup auth context */ |
|
authctxt->pw = PRIVSEP(getpwnamallow(ssh, user)); |
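Review bot: The client-supplied user name is discarded at `free(user)` without being recorded, so once an alias matches every later log line and authentication record shows only the mapped account and the audit trail cannot tell which alias the client actually presented. Logging the substitution before the free preserves that, e.g. `logit("user \"%s\" mapped to \"%s\" by alias \"%s\"", user, cp, options.alias[i].alias);` placed just above `free(user);`. Two smaller points: `n` is declared `int` in the preceding hunk but receives a sum of `strlen()` results, so `size_t n;` is the matching type; and re-locating the separator with `strchr(cp, ':')` splits at the first ':' anywhere in the rebuilt string, so a configured user name containing ':' would be cut short, whereas `style = cp + strlen(options.alias[i].user); *style++ = '\0';` points at the separator this code itself wrote. The enclosing function input_userauth_request starts before this hunk and continues after it.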
|
Index: servconf.c |
|
--- servconf.c.orig 2021-03-02 11:31:47.000000000 +0100 |
|
+++ servconf.c 2021-03-03 08:25:17.979352000 +0100 |
|
@@ -196,6 +196,9 @@ |
|
options->fingerprint_hash = -1; |
|
options->disable_forwarding = -1; |
|
options->expose_userauth_info = -1; |
|
+#ifdef USE_ALIAS |
|
+ options->num_alias = 0; |
|
+#endif |
|
} |
|
|
|
/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */ |
|
@@ -520,6 +523,9 @@ |
|
sStreamLocalBindMask, sStreamLocalBindUnlink, |
|
sAllowStreamLocalForwarding, sFingerprintHash, sDisableForwarding, |
|
sExposeAuthInfo, sRDomain, sPubkeyAuthOptions, sSecurityKeyProvider, |
|
+#ifdef USE_ALIAS |
|
+ sAlias, |
|
+#endif |
|
sDeprecated, sIgnore, sUnsupported |
|
} ServerOpCodes; |
|
|
|
@@ -678,6 +684,9 @@ |
|
{ "rdomain", sRDomain, SSHCFG_ALL }, |
|
{ "casignaturealgorithms", sCASignatureAlgorithms, SSHCFG_ALL }, |
|
{ "securitykeyprovider", sSecurityKeyProvider, SSHCFG_GLOBAL }, |
|
+#ifdef USE_ALIAS |
|
+ { "alias", sAlias }, |
|
+#endif |
|
{ NULL, sBadOption, 0 } |
|
}; |
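Review bot: The new keyword entry `{ "alias", sAlias },` omits the flags member that every neighbouring entry supplies, so it is zero-initialised to neither SSHCFG_GLOBAL nor SSHCFG_ALL; how the parser's Match-block handling treats a zero flags value is not decidable from this hunk, but the sAlias handler in the later servconf.c hunk updates `options->alias` without consulting the active state, which is only correct for a global-only option. Make the intent explicit and consistent with the securitykeyprovider entry above it: `{ "alias", sAlias, SSHCFG_GLOBAL },`.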
|
|
|
@@ -2395,6 +2404,26 @@ |
|
*charptr = xstrdup(arg); |
|
break; |
|
|
|
+#ifdef USE_ALIAS |
|
+ case sAlias: |
|
+ if (options->num_alias >= MAX_ALIAS) { |
|
+ fatal("%s line %d: too many user alias defined.", |
|
+ filename, linenum); |
|
+ } |
|
+ arg = strdelim(&cp); |
|
+ if (arg == NULL || arg[0] == '\0') |
|
+ fatal("%s line %d: missing user name alias(es).", |
|
+ filename, linenum); |
|
+ options->alias[options->num_alias].alias = xstrdup(arg); |
|
+ arg = strdelim(&cp); |
|
+ if (arg == NULL || arg[0] == '\0') |
|
+ fatal("%s line %d: missing user name to map alias '%s' to.", |
|
+ filename, linenum, options->alias[options->num_alias].alias); |
|
+ options->alias[options->num_alias].user = xstrdup(arg); |
|
+ options->num_alias++; |
|
+ break; |
|
+#endif |
|
+ |
|
case sDeprecated: |
|
case sIgnore: |
|
case sUnsupported: |
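Review bot: The mapped user name taken from the second argument is validated only for being non-empty, yet the auth2.c hunk of this patch later rebuilds a `user:style` string and re-splits it at the first ':', so a configured user containing ':' would silently map to a different account with a wrong style. Rejecting such a value at parse time keeps the failure at configuration time: `if (strchr(arg, ':') != NULL) fatal("%s line %d: user name may not contain ':'.", filename, linenum);` inserted before the `xstrdup(arg)` on the `.user` field. Since `dump_config` is not touched by this patch, `sshd -T` will presumably not print the configured aliases, which makes the effective mapping hard to audit — worth confirming. The enclosing switch in process_server_config_line begins and ends outside the hunk.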
|
Index: servconf.h |
|
--- servconf.h.orig 2021-03-02 11:31:47.000000000 +0100 |
|
+++ servconf.h 2021-03-03 08:25:17.979556000 +0100 |
|
@@ -229,6 +229,14 @@ |
|
int expose_userauth_info; |
|
u_int64_t timing_secret; |
|
char *sk_provider; |
|
+#ifdef USE_ALIAS |
|
+#define MAX_ALIAS 256 |
|
+ u_int num_alias; |
|
+ struct { |
|
+ char *alias; /* the alias list to match */ |
|
+ char *user; /* the username to map to */ |
|
+ } alias[MAX_ALIAS]; |
|
+#endif |
|
} ServerOptions; |
|
|
|
/* Information about the incoming connection as used by Match */ |
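Review bot: `#define MAX_ALIAS 256` is introduced in the middle of the ServerOptions struct body, between two members, which hides the limit where nobody looks for it and is unlike the rest of this header; hoist it above the struct definition (or make it an enum constant) with a short comment, e.g. `#define MAX_ALIAS 256 /* upper bound on Alias entries, enforced in servconf.c */`. Also `num_alias` is `u_int` while the auth2.c hunk iterates it with `int i`, giving a signed/unsigned comparison; declaring that loop index `u_int i` keeps the two consistent. The struct definition starts before this hunk.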
|
Index: sshd_config.5 |
|
--- sshd_config.5.orig 2021-03-02 11:31:47.000000000 +0100 |
|
+++ sshd_config.5 2021-03-03 08:25:17.979860000 +0100 |
|
@@ -106,6 +106,15 @@ |
|
Note that disabling agent forwarding does not improve security |
|
unless users are also denied shell access, as they can always install |
|
their own forwarders. |
|
+.It Cm Alias |
|
+Specifies an optional mapping of a list of user name aliases onto |
|
+real user names. The first argument is a comma separated list of |
|
+user name aliases (optionally prefixed with '!' for negation) to |
|
+match. The characters `*' and `?' can be used as wildcards in the |
|
+alias patterns. The second argument is the real user name onto |
|
+which the aliases are mapped. This allows the use of appealing |
|
+virtual login names (like `anonymous') instead of their physical |
|
+counterparts (like `anoncvs'). |
|
.It Cm AllowGroups |
|
This keyword can be followed by a list of group name patterns, separated |
|
by spaces.
|
|
|